Lenovo Fingerprint Manager has a serious security flaw

by Mark Tyson on 30 January 2018, 12:31

Tags: Lenovo (HKG:0992)

Many would agree that the peaks of the recent computer news landscape have been terraformed by security flaws and their aftershocks. Adding to this expansive landscape of security vulnerability news, Lenovo PCs with fingerprint readers have been harbouring a gaping vulnerability for quite some time.

Ironically, the vulnerability exists within Lenovo’s Fingerprint Manager Pro – an accessory program which facilitates ‘fast, secure, biometric security’ via the built-in fingerprint sensors within a range of Lenovo Think-PCs. In Lenovo’s own words the problem is as follows:

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”

On PCs running Windows 7, 8 and 8.1, owners of Lenovo machines equipped with a fingerprint reader can use their fingerprint to log in to the PC and to access pre-configured websites without having to remember or type passwords, thanks to the bundled accessory software. Windows 10 users won’t be affected by the vulnerability described above, as they use Microsoft’s built-in fingerprint reader support.

Thankfully the Lenovo vulnerability is rather easy to fix. All you have to do is update Fingerprint Manager Pro to version 8.01.87 or later.

Lenovo has provided a list of systems which may come with the affected Lenovo Fingerprint Manager software:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900
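
To act on the fix described above across more than one machine, the following added example (not from Lenovo or the original article) triages a software inventory export against the 8.01.87 threshold and the affected Windows versions. The CSV layout, host names and the older version number are constructed assumptions.

```python
import csv
import io
import re

PRODUCT = "Lenovo Fingerprint Manager Pro"
FIXED = (8, 1, 87)  # 8.01.87, the fixed version named in the article
# Article: Windows 7, 8 and 8.1 rely on this software; Windows 10 does not.
AFFECTED_OS = re.compile(r"^windows (7|8(\.1)?)\b", re.IGNORECASE)

# Constructed inventory export; hosts and the 8.01.41 version are made up.
SAMPLE = """host,os,product,version
pc-001,Windows 7 Professional,Lenovo Fingerprint Manager Pro,8.01.41
pc-002,Windows 8.1 Pro,Lenovo Fingerprint Manager Pro,8.01.87
pc-003,Windows 10 Pro,Lenovo Fingerprint Manager Pro,8.01.41
pc-004,Windows 7 Professional,Lenovo Fingerprint Manager Pro,unknown
pc-005,Windows 8 Pro,Other Tool,1.0
"""

def parse_version(text):
    """Turn '8.01.87' into (8, 1, 87); return None if it is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map each host running the product to: update, ok, os-not-affected, review."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != PRODUCT.lower():
            continue  # other software is out of scope
        version = parse_version(row["version"])
        if not AFFECTED_OS.match(row["os"].strip()):
            result[row["host"]] = "os-not-affected"
        elif version is None:
            result[row["host"]] = "review"  # unreadable version: check by hand
        elif version < FIXED:
            result[row["host"]] = "update"  # older than 8.01.87
        else:
            result[row["host"]] = "ok"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Versions are compared as integer tuples so that the leading zero in 8.01.87 does not distort the ordering, and an unreadable version is routed to manual review rather than treated as patched.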


HEXUS Forums :: 3 Comments

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”

Rofl. That is not a vulnerability, that is chronically poor design and QA. Who signed off on that?

With all of the bad news Lenovo gets, I'm not sure I'd ever consider getting one.

Yep this is getting beyond a joke now PC industry. God sakes.